
What can I do to moderate the user topics of newly registered users?

  • Tip Category - Installation and Upgrading
  • Tip Added By - PaulHarvey - 04 Feb 2012 - 10:08
  • Extensions Used -
  • Useful To - Beginners
  • Tip Status - New
  • Related Topics - Support.Faq12

Problem

When a Foswiki installation is publicly accessible from the internet, and you need to allow registrations, this inevitably attracts spammers. Even if you restrict permissions so that newly registered users cannot change or add any content, they can still use the fields provided in the UserRegistration form to create keyword/link spam or, on Foswiki versions 1.1.4 and earlier, malicious HTML/script code (see Support.SecurityAlert-CVE-2012-1004).

Context

The default user registration mechanism is in use, and it is set up to allow registrations. Additionally, the installation is public, and public registrations need to be supported.

Solution

Take away the spammer's reward: restrict VIEW access on newly created user topics, so that search engines cannot index the spam content and other users who click through to the topic are not exposed to any script it carries. The access restriction is a containment measure, not a fix for the injection itself, so make sure your Foswiki installation is up to date as well.

Customize your existing System.NewUserTemplate by copying it to Main.NewUserTemplate, and add something like the following. Foswiki expands %WIKIUSERNAME% and %WIKINAME% to the new user's names when the user topic is created, so the new user can still view their own topic; because ALLOWTOPICCHANGE names only Main.ModeratorGroup (which must exist), the user cannot lift the restriction themselves:
---++ Temporary restrictions
This user ([[%WIKIUSERNAME%][%WIKINAME%]]) needs to be added to a [[WikiGroups][WikiGroup]], then the following restrictions should be removed by somebody from the Main.ModeratorGroup:
   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, %WIKIUSERNAME%
   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup

Known Uses

http://wiki.trin.org.au

Known Limitations

Removing bogus/spammer user topics needs to be coordinated with removal of the corresponding username/password/email line from the .htpasswd file (if using the default HtPasswdUser password manager) and of the user's entry in Main.WikiUsers (if using the default topic-based user mapping). If the .htpasswd line is left behind, the spammer's login keeps working after the topic is gone.
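As an added example, not part of this tip or of Foswiki's own code, the POSIX shell helpers below cover both sides of the workflow: pending_users lists the Main-web user topics that still carry the temporary ALLOWTOPICVIEW restriction from the template above (the moderation queue), and remove_user takes a spammer out of the user topic, Main.WikiUsers and .htpasswd in one step. It assumes the default Foswiki layout: topics stored as data/<Web>/<Topic>.txt with an RCS history file <Topic>.txt,v beside them, a Trash web, WikiUsers entries of the form "   * WikiName - login - date", and .htpasswd lines of the form "login:hash:email". The paths and sample file contents are constructed for illustration; check them against your installation and run the script on the server as the account that owns the data directory and .htpasswd.

```bash
#!/bin/sh
# Added moderation helpers for the temporary-restriction scheme above.
# Assumed layout (verify against your own installation): Foswiki's data
# directory holding data/Main/<WikiName>.txt, an optional RCS history file
# <WikiName>.txt,v beside it, a Trash web, Main.WikiUsers with one
# "   * WikiName - login - date" bullet per registration, and an .htpasswd
# with "login:hash:email" lines as written by HtPasswdUser.

# List Main-web user topics that still carry the temporary ALLOWTOPICVIEW
# restriction, i.e. registrations nobody from ModeratorGroup has handled.
# Usage: pending_users DATA_DIR
pending_users() {
    data_dir=$1
    for topic in "$data_dir"/Main/*.txt; do
        [ -f "$topic" ] || continue
        name=$(basename "$topic" .txt)
        # The customised template carries the unexpanded line too; skip it.
        case $name in NewUserTemplate) continue ;; esac
        if grep -qF '   * Set ALLOWTOPICVIEW = Main.ModeratorGroup' "$topic"; then
            printf '%s\n' "$name"
        fi
    done
}

# Remove a spam registration in one step so the user topic, the WikiUsers
# entry and the .htpasswd line never get out of sync. Names are compared as
# whole fields, so removing "SpamBot" leaves "SpamBot2" alone.
# Usage: remove_user DATA_DIR HTPASSWD LOGIN [WIKINAME]  (WIKINAME defaults to LOGIN)
remove_user() {
    data_dir=$1; htpasswd=$2; login=$3; wikiname=${4:-$3}
    topic=$data_dir/Main/$wikiname.txt
    if [ ! -f "$topic" ]; then
        echo "no user topic $topic" >&2; return 1
    fi
    if ! awk -F: -v u="$login" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$htpasswd"; then
        echo "no .htpasswd entry for $login" >&2; return 1
    fi

    # Foswiki's own "delete" is a rename into the Trash web; do the same and
    # keep the RCS history file with the topic.
    mkdir -p "$data_dir/Trash"
    mv "$topic" "$data_dir/Trash/$wikiname.txt"
    if [ -f "$topic,v" ]; then
        mv "$topic,v" "$data_dir/Trash/$wikiname.txt,v"
    fi

    # Rewrite .htpasswd via a temp file in the same directory and rename it
    # over the original, so a login attempt never reads a half-written file.
    # mktemp creates the file 0600: run this as the account that owns
    # .htpasswd (usually the web server user) so it stays readable to Foswiki.
    tmp=$(mktemp "$htpasswd.XXXXXX") || return 1
    awk -F: -v u="$login" '$1 != u' "$htpasswd" > "$tmp" && mv -f "$tmp" "$htpasswd" \
        || { rm -f "$tmp"; return 1; }

    # Drop the "   * WikiName - login - date" bullet from Main.WikiUsers, if
    # the default topic-based user mapping is in use.
    users=$data_dir/Main/WikiUsers.txt
    if [ -f "$users" ]; then
        tmp=$(mktemp "$users.XXXXXX") || return 1
        awk -v w="$wikiname" '!($1 == "*" && $2 == w)' "$users" > "$tmp" && mv -f "$tmp" "$users" \
            || { rm -f "$tmp"; return 1; }
    fi
}
```

Run pending_users periodically (or from a cron job that mails the output to the moderators) to see who is waiting; once a moderator has checked a topic and edited the restriction lines out, it drops off the list. remove_user refuses to touch anything unless both the user topic and the .htpasswd entry exist, so a typo in the name fails loudly instead of half-deleting an account.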

Topic revision: r5 - 27 Mar 2012, CrawfordCurrie

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See the Copyright Statement (Creative Commons License).